agent-security-lens 0.1.2 → 0.1.3

package/.mcp/server.json

@@ -1,19 +1,19 @@
 {
   "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
   "name": "io.github.professor2k8/agent-security-lens",
-  "title": "AgentSecurityLens",
-  "description": "Security intelligence MCP for agents to review MCPs, Skills and tools before installation.",
+  "title": "Agent Security Lens (AgentSecurityLens)",
+  "description": "Safe-install and trust-check MCP for agents to review MCPs, Skills and tools before installation.",
   "status": "active",
   "repository": {
     "url": "https://github.com/professor2k8/agent-security-lens",
     "source": "github"
   },
-  "version": "0.1.2",
+  "version": "0.1.3",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "agent-security-lens",
-      "version": "0.1.2",
+      "version": "0.1.3",
       "transport": {
         "type": "stdio"
       },

package/CHANGELOG.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 0.1.3
+
+- Improve agent-first installation copy in the README.
+- Add a dedicated Agent install guide with required pre-install review flow.
+- Expand npm discovery keywords for safe install, trust check, MCP security and Skill security searches.
+- Update the MCP Registry manifest description for safe-install and trust-check discovery.
+
 ## 0.1.2
 
 - Add public security intelligence index for agents and package readers.

package/README.md

@@ -6,6 +6,32 @@ Before an agent installs or enables an MCP, Skill, tool, prompt bundle, workflow
 
 ASL is not a malware verdict tool. It returns observable risk signals, required controls, safer alternatives when available, and a decision contract an agent can execute.
 
+## Agent Quick Install
+
+Add ASL as a pre-install trust check MCP:
+
+```json
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"]
+    }
+  }
+}
+```
+
+Then give the agent this policy:
+
+```text
+Before installing or enabling any MCP, Skill, tool, prompt bundle,
+workflow or memory component, call AgentSecurityLens review_before_install.
+Follow agent_decision_contract and agent_actions exactly.
+Never submit private source code, secrets, tokens, cookies or file contents.
+```
+
+See [Agent install guide](docs/agent-install.md) for Claude Desktop, Cursor, Codex-style and generic MCP configurations.
+
 ## Public Intelligence
 
 The public package includes a reviewed baseline so agents can still make conservative decisions when the cloud API is unavailable.
@@ -17,7 +43,7 @@ The public package includes a reviewed baseline so agents can still make conserv
 
 The online ASL intelligence API serves the current expanded catalog. The npm package intentionally does not ship the complete private intelligence database.
 
-## Install
+## Basic MCP Config
 
 ```json
 {
@@ -127,7 +153,7 @@ Agents must execute the structured fields rather than infer policy from prose.
 
 ASL evaluates observable behavior and installation context. It does not label a component malicious without evidence.
 
-The v0.1.0 public fallback contains 30 strict reviewed records and 20 curated fallback baselines. Automatic assessments are available through the online service but cannot authorize automatic installation.
+The public fallback contains strict reviewed records and curated fallback baselines. Automatic assessments are available through the online service but cannot authorize automatic installation.
 
 ## Privacy
 

package/RELEASE-MANIFEST.json

@@ -1,8 +1,8 @@
 {
   "schema_version": "0.1.0",
   "package": "agent-security-lens",
-  "version": "0.1.2",
-  "generated_at": "2026-06-21T15:24:09.597Z",
+  "version": "0.1.3",
+  "generated_at": "2026-06-22T08:01:37.097Z",
   "source": "ASL verified public release exporter",
   "files": [
     {
@@ -27,13 +27,13 @@
     },
     {
       "path": ".github/workflows/ci.yml",
-      "bytes": 444,
-      "sha256": "86ac5975ffafc51f4045fbe6cb9959f938fa52c0ed59d87f294d8d701ab01a50"
+      "bytes": 525,
+      "sha256": "7625c8b17057d0d64234c7e8c49894d1d4ca632c9a44b8d48f871df1d626c0f1"
     },
     {
       "path": ".github/workflows/publish-mcp-registry.yml",
-      "bytes": 1074,
-      "sha256": "fd2bed721b5fdf3f1e8b09656b7aac46e333a827bfc7ea6d7756b1bcb2499cd2"
+      "bytes": 1272,
+      "sha256": "46dd8937b9a36517604fff2a9f6f29ed22a115536719189a01ef94edddc1687c"
     },
     {
       "path": ".gitignore",
@@ -42,8 +42,8 @@
     },
     {
       "path": ".mcp/server.json",
-      "bytes": 1287,
-      "sha256": "befc15416fd0b04b1cca08796e3b98c9062ffe4717791d570e9c452d132acfc0"
+      "bytes": 1316,
+      "sha256": "cff25d18a7c6d1259d400599537de259731224109f4cf16129cd4984027b16ab"
     },
     {
       "path": ".npmignore",
@@ -52,8 +52,8 @@
     },
     {
       "path": "CHANGELOG.md",
-      "bytes": 1261,
-      "sha256": "8bfa163446c5354f78427edd24c8419cc435ee024913ff08266f75a59cd6c651"
+      "bytes": 1600,
+      "sha256": "990eb963697607ee08be8f8a24ba24f78c0e4ce38c510509b20f3920cdc7fa91"
     },
     {
       "path": "CODE_OF_CONDUCT.md",
@@ -77,8 +77,8 @@
     },
     {
       "path": "README.md",
-      "bytes": 5829,
-      "sha256": "e4bf0eacff185b9bdb2314b66ac7a2432b35f51ef8c7b010231bdc08809f7f35"
+      "bytes": 6481,
+      "sha256": "0e48df39c037cc156db7b958aa7d8dab70f6c212a984a93c1f3f2f7a27944ab6"
     },
     {
       "path": "SECURITY.md",
@@ -120,6 +120,11 @@
       "bytes": 4654,
       "sha256": "d060bad4b4830a98013fed6dd23051c271dd92317873dcabbde01e5ff1f840b9"
     },
+    {
+      "path": "docs/agent-install.md",
+      "bytes": 2505,
+      "sha256": "239d8c5fa18ce0fdd1066115e34a6409f7f9d1dc4c486edba7887f7bc752ff2b"
+    },
     {
       "path": "docs/asl-agent-component-safety-standard-v0.2.md",
       "bytes": 3044,
@@ -202,13 +207,13 @@
     },
     {
       "path": "llms.txt",
-      "bytes": 1727,
-      "sha256": "adcbc320f9c5e13e4b71b57f47337d06008fdbfe567b39902643b9a3d1c9e010"
+      "bytes": 1751,
+      "sha256": "b53f08e07a8a76e5c0054c240dd3ff7a9e8e006b02ae1a897bb4117e97c7f85c"
     },
     {
       "path": "package.json",
-      "bytes": 1973,
-      "sha256": "e2227a4030693158a795e445a5330956eb96e003eeba7a7c2ba5e1e2b0b70e9a"
+      "bytes": 2156,
+      "sha256": "2fb0be3924a8d9b20e70e92818f03f078a2f75baed9e2fd780b0accb1300d025"
     },
     {
       "path": "profiles/generic-agent/profile.json",
@@ -337,8 +342,8 @@
     },
     {
       "path": "server.json",
-      "bytes": 1287,
-      "sha256": "befc15416fd0b04b1cca08796e3b98c9062ffe4717791d570e9c452d132acfc0"
+      "bytes": 1316,
+      "sha256": "cff25d18a7c6d1259d400599537de259731224109f4cf16129cd4984027b16ab"
     },
     {
       "path": "src/assessment/assess.mjs",

package/docs/agent-install.md

@@ -0,0 +1,83 @@
+# AgentSecurityLens Agent Install Guide
+
+AgentSecurityLens is a pre-install security MCP. Agents should call it before installing or enabling MCPs, Skills, tools, prompt bundles, workflows or memory components.
+
+## Standard MCP Config
+
+Use this config in MCP-compatible clients:
+
+```json
+{
+  "mcpServers": {
+    "agent-security-lens": {
+      "command": "npx",
+      "args": ["-y", "agent-security-lens"]
+    }
+  }
+}
+```
+
+Node.js 20 or newer is required.
+
+## Agent Policy
+
+Add this instruction to the agent or workspace policy:
+
+```text
+Before installing or enabling any MCP, Skill, tool, prompt bundle,
+workflow or memory component, call AgentSecurityLens review_before_install.
+Follow agent_decision_contract and agent_actions exactly.
+Never submit private source code, secrets, tokens, cookies or file contents.
+```
+
+## Required Agent Flow
+
+1. Connect to the `agent-security-lens` MCP server.
+2. Call `get_install_policy` once.
+3. Before any install or enable action, call `review_before_install`.
+4. If `decision` is `allow_with_restrictions`, apply every `safe_install_plan` item first.
+5. If `decision` is `ask_user` or `avoid`, stop automatic installation.
+6. If the component is unknown, submit only public metadata with `submit_unknown_component`.
+7. After acting, call `report_install_outcome`.
+
+## Decision Rules
+
+| Decision | Agent behavior |
+| --- | --- |
+| `allow` | Install only from the recorded source and version, then report outcome. |
+| `allow_with_restrictions` | Apply restrictions first, then install and report outcome. |
+| `ask_user` | Do not run the install command automatically. Ask the user. |
+| `avoid` | Do not install automatically. Prefer reviewed alternatives. |
+
+Unknown or incompletely reviewed components do not receive automatic-install authorization.
+
+## Review Request Example
+
+```json
+{
+  "component_name": "filesystem",
+  "component_type": "mcp",
+  "source_url": "https://github.com/modelcontextprotocol/servers",
+  "install_command": "npx -y @modelcontextprotocol/server-filesystem .",
+  "planned_use": "Read and edit project files.",
+  "requested_permissions": ["filesystem-read", "filesystem-write"],
+  "submit_if_unknown": true
+}
+```
+
+## Online Intelligence
+
+The MCP uses the public ASL cloud intelligence endpoint by default:
+
+```text
+ASL_API_URL=https://agentsecuritylens-api.agentsecuritylens.workers.dev
+```
+
+For offline fallback mode:
+
+```text
+ASL_MODE=local
+```
+
+Local mode includes only the public fallback intelligence and conservative static rules.
+

package/llms.txt

@@ -6,6 +6,7 @@ Primary use:
 Before installing or enabling any MCP, Skill, tool, prompt bundle or workflow, call the AgentSecurityLens MCP tool `review_before_install`.
 
 Public intelligence files:
+- docs/agent-install.md
 - docs/public-intelligence/asl-public-security-index-v0.1.md
 - docs/public-intelligence/top-mcp-security-signals-v0.1.md
 - docs/public-intelligence/top-skill-security-signals-v0.1.md

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "agent-security-lens",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "private": false,
   "mcpName": "io.github.professor2k8/agent-security-lens",
-  "description": "Agent-facing security MCP that queries ASL intelligence before autonomous agents install tools.",
+  "description": "Safe-install and trust-check MCP for autonomous agents before they install MCPs, Skills or tools.",
   "type": "module",
   "license": "Apache-2.0",
   "repository": {
@@ -20,6 +20,15 @@
     "ai-agent",
     "agent-security",
     "security",
+    "safe-install",
+    "trust-check",
+    "mcp-security",
+    "skill-security",
+    "ai-security",
+    "agent-guard",
+    "install-guard",
+    "security-audit",
+    "tool-safety",
     "trust-score",
     "agent-tools"
   ],

package/server.json

@@ -1,19 +1,19 @@
 {
   "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
   "name": "io.github.professor2k8/agent-security-lens",
-  "title": "AgentSecurityLens",
-  "description": "Security intelligence MCP for agents to review MCPs, Skills and tools before installation.",
+  "title": "Agent Security Lens (AgentSecurityLens)",
+  "description": "Safe-install and trust-check MCP for agents to review MCPs, Skills and tools before installation.",
   "status": "active",
   "repository": {
     "url": "https://github.com/professor2k8/agent-security-lens",
     "source": "github"
   },
-  "version": "0.1.2",
+  "version": "0.1.3",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "agent-security-lens",
-      "version": "0.1.2",
+      "version": "0.1.3",
       "transport": {
         "type": "stdio"
       },